Cisco Systems OL-24201-01 manual Failure Options

Chapter 3 ACS 5.x Policy Model

Access Services

•Identity Sequence—Sequences of the identity databases. The sequence is used for authentication and, if specified, an additional sequence is used to retrieve only attributes. You can select multiple identity methods as the result of the identity policy. You define the identity methods in an identity sequence object, and the methods included within the sequence may be of any type.

There are two components to an identity sequence: one for authentication, and one for attribute retrieval. The administrator can select to perform authentication based on a certificate or an identity database or both.

–If you choose to perform authentication based on a certificate, ACS selects a single certificate authentication profile.

–If you choose to perform authentication based on an identity database, you must define a list of databases to be accessed in sequence until authentication succeeds. When authentication succeeds, any defined attributes within the database are retrieved.

In addition, you can define an optional list of databases from which additional attributes are retrieved. These additional databases can be accessed irrespective of whether password- or certificate-based authentication was used.

When certificate-based authentication is used, the username field is populated from a certificate attribute and is used to retrieve attributes. All databases defined in the list are accessed and, in cases where a matching record for the user is found, the corresponding attributes, are retrieved.

Attributes can be retrieved for a user even if the user’s password is marked that it needs to be changed or if the user account is disabled. Even when you disable a user’s account, the user’s attributes are still available as a source of attributes, but not for authentication.

Failure Options

If a failure occurs while processing the identity policy, the failure can be one of three main types:

•Authentication failed—ACS received an explicit response that the authentication failed. For example, the wrong username or password was entered, or the user was disabled.

•User/host not found—No such user/host was found in any of the authentication databases.

•Process failed—There was a failure while accessing the defined databases.

All failures returned from an identity database are placed into one of the types above. For each type of failure, you can configure the following options:

•Reject—ACS sends a reject reply.

•Drop—No reply is returned.

•Continue—ACS continues processing to the next defined policy in the service.

The Authentication Status system attribute retains the result of the identity policy processing. If you select to continue policy processing in the case of a failure, this attribute can be referred to as a condition in subsequent policy processing to distinguish cases in which identity policy processing did not succeed.

Because of restrictions on the underlying protocol being used, there are cases in which it is not possible to continue processing even if you select the Continue option. This is the case for PEAP, LEAP, and EAP-FAST; even if you select the Continue option, the request is rejected.

The following default values are used for the failure options when you create rules:

•Authentication failed—The default is reject.

•User/host not found—The default is reject.

•Process failure—The default is drop.